Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: Need Sample Config – FortiGate NAC Lite + Fort...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Created on
05-09-2025
08:47 AM
Edited on
05-13-2025
02:12 AM
By
Anthony_E
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Need Sample Config – FortiGate NAC Lite + FortiAuthenticator + Intune (EAP-TLS)
I’m setting up EAP-TLS for Entra-joined devices using FortiGate NAC Lite (7.4.x) and FortiAuthenticator (6.6.x) with certs deployed via Intune SCEP.
I’ve got it mostly working but need a known-good config to compare against—especially:
-
FortiAuthenticator SCEP & RADIUS settings
-
FortiGate 802.1X interface config
-
Any Intune SCEP profile tips
If anyone can share a working example or config snippet, it’d be a huge help.
Thanks!
Labels:
- Labels:
-
FortiAuthenticator
-
FortiGate
9 REPLIES 9
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Anthony-Fortinet Community Team.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think the tag that is used is not the right one, this integration is not related to FortiNAC (as a product) but related to FortiGate and FortiAuthenticator.
- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
If you have found a solution, please like and accept it to make it easily accessible for others.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you Emirjon.
I have modified the tags accordingly.
Regards.
Anthony-Fortinet Community Team.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello any updates other than changing tags?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Modifying the tags will help to find users who can provide help.
They will help ASAP.
Regards,
Anthony-Fortinet Community Team.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Symptoms:
Windows Event Viewer logs:
Event ID 309: “Certificate enrollment failed. Error: 0x80070057 – The parameter is incorrect”
Event ID 32: SCEP request returns HTTP error (0x80190194 = 404 Not Found)
FortiAuthenticator Web Service logs:
Log ID 8819:
SCEP GetCA: Failed to retrieve requested CA, returning default CA certificate CN=CA.DOMAIN.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
from the description I have to assume, you have Intune as SCEP client, FortiAuthenticator as SCEP server.
SCEP is an HTTP based protocol, so HTTP logic applies (with its response codes).
First, see to reproduce an SCEP request at will and then check the logs at that time when you reproduced the issue. The logs that you shared from FortiAuthenticator are not relevant because it says that the client didn't specify which CA to return, so FortiAuthenticator returned the default one.
Your client logs say that FortiAuthenticator responded with an HTTP code 404, which is that the resource cannot be found because the requested resource does not exist. As the 404 and the FortiAuthenticator log do not match, check what the client is requesting that FortiAuthenticator answers with 404.
I don't see this as related, the CA certificate message will not return a 404 but a HTTP 200 with the CA certificate that is sent to the client.
FortiAuthenticator listens at /app/cert/scep/.
The client should make a GetCACaps request, gets a response.
Client makes a CA request, gets a response (which you log says is happening).
Client should then ask to have a certificate signed (that log will be interesting)
Your "Failed to retrieve requested CA" proves that it answers on it the link and the GetCACaps seems OK. After this, the client is supposed to make a certificate request to the FortiAuthenticator which in turn should be visible in packet capture and logs.
Debug logs can of course help and are found at https://fac-ip/debug/scepd
I don't have a sample config for Intune, but for FortiAuthenticator and certmonger:
https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-Example-of-use-of-certmonger-and/...
In the link you can see debugs, that show the same error message you posted, but it has no relation to the function as the default CA is good.
Tip:
On FortiAuthenticator create a wildcard enrollment for test with no subject matching, to avoid issues with that for now. Add these when the rest of enrollment is working with the wildcard.
Quick guess, ignoring the 404. The SCEP client must trust the CA and needs to have its public CA installed in its trust store. You may have then issues in the Intune log about untrusted certificate as a result of the CA certificate that is returned.
Best regards,
Markus
- Markus
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So you have no samples of a working setup that leverages Microsoft Intune?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks a lot!
Anthony-Fortinet Community Team.
Labels
-
FortiGate
10,495 -
FortiClient
2,131 -
FortiManager
883 -
5.2
687 -
FortiAnalyzer
672 -
5.4
638 -
FortiSwitch
575 -
FortiAP
561 -
FortiClient EMS
551 -
6.0
416 -
IPsec
404 -
FortiMail
371 -
SSL-VPN
370 -
5.6
362 -
FortiNAC
277 -
6.2
251 -
FortiWeb
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
190 -
FortiAuthenticator
168 -
FortiGuard
159 -
5.0
152 -
Firewall policy
141 -
6.4
128 -
FortiGate-VM
125 -
FortiCloud Products
116 -
FortiGateCloud
112 -
FortiSIEM
111 -
FortiToken
110 -
Wireless Controller
95 -
Customer Service
88 -
High Availability
83 -
FortiProxy
77 -
ZTNA
75 -
Routing
72 -
DNS
71 -
SAML
70 -
VLAN
70 -
Fortivoice
69 -
FortiEDR
68 -
FortiADC
67 -
BGP
66 -
Authentication
64 -
Certificate
61 -
RADIUS
58 -
LDAP
57 -
SSO
54 -
FortiSandbox
53 -
FortiLink
53 -
FortiExtender
51 -
NAT
51 -
4.0MR3
49 -
FortiDNS
44 -
VDOM
44 -
Application control
44 -
Interface
42 -
Logging
40 -
Virtual IP
39 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
35 -
SSL SSH inspection
35 -
Web profile
35 -
FortiConnect
34 -
Automation
32 -
FortiWAN
31 -
FortiConverter
30 -
FortiGate v5.2
27 -
SNMP
25 -
SSID
25 -
Static route
25 -
Traffic shaping
24 -
API
24 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
FortiGate Cloud
23 -
System settings
22 -
OSPF
20 -
WAN optimization
20 -
FortiMonitor
19 -
Security profile
19 -
Web application firewall profile
18 -
IP address management - IPAM
18 -
FortiSOAR
17 -
Web rating
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
FortiAP profile
16 -
Explicit proxy
15 -
Admin
15 -
Proxy policy
15 -
FortiCASB
14 -
IPS signature
14 -
Intrusion prevention
14 -
FortiManager v4.0
13 -
DNS filter
13 -
FortiManager v5.0
12 -
NAC policy
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
FortiRecorder
11 -
Users
11 -
Port policy
11 -
FortiDeceptor
10 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
FortiBridge
10 -
Trunk
10 -
Traffic shaping profile
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
Authentication rule and scheme
9 -
FortiCache
8 -
FortiToken Cloud
8 -
4.0
7 -
4.0MR2
7 -
FortiAI
7 -
Packet capture
7 -
Application signature
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiCarrier
5 -
FortiNDR
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiInsight
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
lacework
2 -
FortiEdge Cloud
2 -
FortiGuest
2 -
FortiAIOps
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Virtual wire pair
1 -
FortiEdge
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2534 | |
| 1351 | |
| 795 | |
| 641 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.